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As the economy and society continue to open up with the lessening of some COVID-19 
restrictions, many employers are seeking to understand what information they need to 
process in relation to their employees return to the workplace. In particular, the 
question has been raised as to whether employers can lawfully collect and process 
information about the COVID-19 vaccination status of their employees. 


The advice from public health authorities in Ireland should indicate what data 
processing is necessary and legitimate in the context of managing COVID-19 in the 
workplace. The primary source of information in this context is the Work Safely 


Protocol: COVID-19 National Protocol for Employers and Workers. 


The Protocol sets out a number of requirements that will require employers to process 
personal data. For example, employers should keep a log of contacts to facilitate 
contact tracing. Employees should also complete a pre-Return to Work form, which 
contains their personal data. The Protocol does not currently require employers to 
collect any information regarding vaccination status and this is not required for 
pre-Return to Work forms. 


Employers should only process COVID-19 vaccination data where necessary to achieve a 
specific, legitimate purpose in line with general and sector-specific public health advice. 
This guidance document is based upon current public health guidance, and may be 
subject to change accordingly. 


Data Minimisation 


The Protocol states that, “Irrespective of the vaccination roll-out, Public Health infection 
prevention and control measures (such as physical distancing, hand hygiene, face 
coverings, adequate ventilation), and working from home unless an employee's physical 
presence in the workplace is necessary, will all need to remain in place”. The full suite of 
measures that employers can employ to maintain workplace safety should be 
considered before making any assessment as to whether knowledge of vaccination 
status is necessary. In accordance with the principle of data minimisation, employers 
should implement all such measures that avoid processing the personal data of 
employees in the first place. 
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Voluntary Nature of Vaccination 


Information about a person's vaccination status is special category personal data for the 
purposes of the GDPR. It represents part of their personal health record, and is 
afforded additional protections under data protection law. The Protocol states that the 
decision to get a vaccine is voluntary and that individuals will make their own decisions 
in this regard. This suggests that COVID-19 vaccination should not in general be 
considered a necessary workplace safety measure and consequently, the processing of 
vaccine data is unlikely to be necessary or proportionate in the most employment 
contexts. 


Specific Employment Contexts 


There are some specific employment contexts within which the processing of data 
revealing vaccination status may be deemed necessary, subject to a risk assessment 
and with reference to sector-specific public health guidance. 


The current version of the Protocol suggests that there are a limited set of 
circumstances in which vaccination should be offered as a workplace health and safety 
measure (as provided for under the Safety, Health and Welfare at Work (Biological 
Agents) Regulations 2013 and 2020). 


There may be further situations, such as in the provision of healthcare services, where 
vaccination can be considered a necessary safety measure, based on relevant sector 
specific guidance. For example, the Medical Council’s Guide to Professional Conduct and 
Ethics for Registered Medical Practitioners states that practitioners “should be 
vaccinated against common communicable diseases”. 


In these various situations, it is possible that an employer will be able to identify a 
legitimate reason to know whether their employees have been vaccinated or not, for 
the purposes of managing the health of safety of workers and visitors. Employers 
should conduct a risk assessment, with reference to any sector-specific public health 
advice to determine whether the measures that they consider necessary require 
knowledge of employees’ vaccination status. 


Imbalance of Power 


The processing of personal data in the context of employment takes place in a situation 
where there is an imbalance between the data subject (employee) and data controller 
(employer). Therefore, employees should not be asked to consent to the processing of 
vaccine data, as this consent is not likely to be freely given. Therefore the processing of 
vaccine data will require a specific set of circumstances underpinned by a legitimate 
reason other than consent. 
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Medical Officer of Health 


In the course of carrying out their public health duties under the Infectious Diseases 
Regulations 1981, as amended, a Medical Officer of Health may require access to the 
vaccination status of employees. This limited type of processing may occur where an 
outbreak of COVID-19 has been identified in a workplace, and is specifically permissible 
under data protection law where carried out on a case-by-case basis, subject to the 
determination of necessity and at the request of the Medical Officer of Heath. 


This guidance above will be subject to review if the public health advice and laws 
relating to the nature of the virus, the pandemic and the interplay with vaccination 
change. Employers with questions about the collection of vaccine information in their 
specific sector or in a particular context should have recourse to the most up-to-date 
public health guidance in the first place. 





